
Website Vulnerability Scanning for Beginners: Free Tools and Step-by-Step Guide

You Can Check Your Own Website's Security (Up to a Point)

Most business owners have never tested the security of their own website. They assume the web agency that built it handled security, or that their hosting provider takes care of it. Sometimes that is true. Often it is not.

The good news: there are free tools that let you run basic security checks right now, without installing anything, without technical expertise, and without spending a cent. These tools will not find everything, but they will catch the most common problems and give you a clear picture of your website's security posture.

This guide walks you through five free tools, explains what each one tests, how to use it, and what the results mean. We will also clarify the line between what you can do yourself and when you should bring in a professional.

Vulnerability Assessment vs Penetration Testing: Know the Difference

Before we get into the tools, let us clear up a common confusion. These two terms get mixed up constantly, and they describe very different things.

Vulnerability Assessment

A vulnerability assessment identifies known weaknesses in your website or infrastructure. It uses automated tools to scan for common issues: missing security headers, outdated software, weak SSL configurations, open ports, known CVEs. It tells you "here are problems that exist." It does not attempt to exploit those problems.

This is what the tools in this article do. You can run a vulnerability assessment yourself.

Penetration Testing

A penetration test (pen test) goes further. A security professional actively tries to exploit vulnerabilities to see how far they can get. They might chain multiple small weaknesses together, attempt SQL injection, test authentication bypasses, or try to escalate privileges. A pen test tells you "here is what an attacker could actually do with these weaknesses."

Penetration testing requires expertise, authorization, and a structured methodology. It is not something you do yourself unless you are a security professional. If you want to understand the full picture of how attackers target business websites, read our article on how business websites get hacked.

Tool 1: Mozilla Observatory

What It Tests

Mozilla Observatory checks your website's HTTP response headers, cookies, and other security-related configurations. It gives you a letter grade (A+ through F) and tells you exactly what is missing or misconfigured.

How to Use It

  1. Go to observatory.mozilla.org
  2. Enter your website URL
  3. Click "Scan Me"
  4. Wait about 30 seconds for results

What the Scores Mean

The Observatory checks for a list of security best practices and scores each one. Here are the most common checks:

  • Content-Security-Policy (CSP): This header tells browsers which resources (scripts, styles, images) are allowed to load on your page. Without it, nothing stops a script that an attacker manages to inject elsewhere on the page from running. Most sites fail this check because CSP is complex to configure correctly.
  • HTTP Strict-Transport-Security (HSTS): This header tells browsers to always use HTTPS, even if someone types http://. Missing HSTS means a downgrade attack is possible.
  • X-Content-Type-Options: Prevents browsers from guessing the type of a file (MIME sniffing), which can lead to security issues. Should be set to nosniff.
  • X-Frame-Options: Controls whether your site can be embedded in an iframe on another site. Without it, clickjacking attacks are possible.
  • Referrer-Policy: Controls how much referrer information is sent when users click links from your site.

We have written a detailed guide on security headers and another specifically about HTTP security headers for your website if you want to go deeper on this topic.

What to Do with the Results

A score of D or F means your website is missing basic security headers. This is common, especially on WordPress sites and older builds. The fix involves adding headers to your server configuration or through a plugin/middleware. If you scored B or above, your security headers are in reasonable shape. An A+ means your configuration is well above average.

Tool 2: Qualys SSL Labs Server Test

What It Tests

SSL Labs performs a deep analysis of your website's SSL/TLS configuration. It checks your certificate validity, supported protocols, cipher suites, and known vulnerabilities in your HTTPS setup.

How to Use It

  1. Go to ssllabs.com/ssltest/
  2. Enter your domain name (without https://)
  3. Wait 2-3 minutes for the full scan

What the Grades Mean

  • A+ or A: Your SSL/TLS configuration is solid. Certificate is valid, modern protocols are used, weak ciphers are disabled.
  • B: Generally acceptable but some older protocols or cipher suites are still enabled. Should be improved.
  • C or below: Significant issues. You may be supporting obsolete protocols (TLS 1.0, TLS 1.1) or using weak cipher suites.
  • F: Your certificate is expired, self-signed, or there is a serious misconfiguration.
  • T: Certificate is not trusted (usually means it is self-signed or the chain is broken).

We explain SSL certificates in plain language in our SSL certificates explained article, and our piece on why an SSL certificate alone is not enough explains what else you need beyond just having HTTPS.

What to Do with the Results

If you scored below A, the SSL Labs report will list specific issues. Common ones: TLS 1.0 or 1.1 still enabled (these should be disabled), HSTS not configured, or an incomplete certificate chain. Your hosting provider can fix most of these. If you manage your own server, the report gives you enough detail to know exactly what to change.
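Two of the items SSL Labs reports can be verified from your own machine: which TLS versions the server still accepts, and how long the certificate has left. The script below is an added example, not part of the original article; the probe functions need network access and an argument of your own hostname, while the demo values at the bottom are constructed (a server that turned off TLS 1.0 but forgot 1.1, and a certificate expiring on 1 January 2030). The "fix first" and "fix soon" labels follow the priorities given later in this article.

```python
"""Check the two things on an SSL Labs report you can verify yourself: which
TLS versions the server still accepts, and how long the certificate has left.
Added example; the probe needs network access, the demo inputs are constructed."""
import socket
import ssl
import sys
import time

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
OBSOLETE = ("TLS 1.0", "TLS 1.1")


def accepts(host, version, port=443, timeout=5):
    """True if the server completes a handshake pinned to exactly `version`.
    Certificate validation is off here because this tests protocol support, not
    trust. Caveat: if your own OpenSSL build refuses TLS 1.0/1.1, the result is
    False even when the server would accept them, so confirm with SSL Labs."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False


def probe(host):
    """Try every version in turn; returns {version name: accepted}."""
    return {name: accepts(host, ver) for name, ver in VERSIONS.items()}


def protocol_findings(support):
    """Translate {version: accepted} into this article's priorities."""
    out = []
    for name in OBSOLETE:
        if support.get(name):
            out.append(("fix soon", f"{name} still enabled; disable it"))
    if not (support.get("TLS 1.2") or support.get("TLS 1.3")):
        out.append(("fix first", "no TLS 1.2 or 1.3 accepted; modern browsers will refuse to connect"))
    if not out:
        out.append(("ok", "only TLS 1.2/1.3 accepted"))
    return out


def days_until_expiry(cert, now=None):
    """cert: the dict SSLSocket.getpeercert() returns; negative means expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def peer_cert(host, port=443, timeout=5):
    """Fetch the server certificate with full validation (network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed demo results: a server that turned off TLS 1.0 but forgot 1.1,
# and a certificate that expires on 1 January 2030.
SAMPLE_SUPPORT = {"TLS 1.0": False, "TLS 1.1": True, "TLS 1.2": True, "TLS 1.3": False}
SAMPLE_CERT = {"notAfter": "Jan  1 00:00:00 2030 GMT"}
SAMPLE_NOW = 1890777600  # 1 December 2029 00:00 UTC, 31 days before expiry

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        support, cert, now = probe(host), peer_cert(host), None
    else:
        support, cert, now = SAMPLE_SUPPORT, SAMPLE_CERT, SAMPLE_NOW
    for priority, message in protocol_findings(support):
        print(f"[{priority}] {message}")
    print("certificate days left:", days_until_expiry(cert, now))
```

Run it with no arguments to see the constructed case, or with your own domain to probe the live server. Only probe servers you operate, for the same reason the ZAP section below gives.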

Tool 3: SecurityHeaders.com

What It Tests

SecurityHeaders.com is similar to Mozilla Observatory but focuses specifically on HTTP response headers. It gives you a quick letter grade, lists which headers are present and which are missing, and explains each one.

How to Use It

  1. Go to securityheaders.com
  2. Enter your website URL
  3. Click "Scan"
  4. Results appear instantly

What to Do with the Results

This tool is useful as a quick second opinion alongside Mozilla Observatory. If both tools flag the same missing headers, those are your priority fixes. The site provides clear recommendations for each missing header, including the exact header value you should add.
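If you would rather run the header check yourself, or re-run it after every deployment without visiting either site, the script below does the same five checks Mozilla Observatory and SecurityHeaders.com grade most heavily and prints the value to add for each gap. It is an added example and not code from either project; the two sample responses are constructed, the letter grade is a rough approximation of the scanners' scoring, and the recommended values and thresholds (an HSTS max-age of at least six months, X-Frame-Options limited to DENY or SAMEORIGIN) are assumptions that suit a typical small site.

```python
"""Audit a site's HTTP response headers against the checks that Mozilla
Observatory and SecurityHeaders.com grade, and print the value to add for
each gap. Added example; both sample responses are constructed, and the
recommended values are starting points, not something either scanner prescribes."""
import http.client
import ssl
import sys
from urllib.parse import urlparse


def _max_age(value):
    """Return the max-age seconds from an HSTS value, or 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


# Header -> (acceptance test, recommended starting value). Assumed thresholds:
# HSTS of at least six months, frame options limited to DENY/SAMEORIGIN.
CHECKS = {
    "content-security-policy": (
        lambda v: "default-src" in v.lower(),
        "default-src 'self'"),
    "strict-transport-security": (
        lambda v: _max_age(v) >= 15552000,
        "max-age=31536000; includeSubDomains"),
    "x-content-type-options": (
        lambda v: v.strip().lower() == "nosniff",
        "nosniff"),
    "x-frame-options": (
        lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
        "SAMEORIGIN"),
    "referrer-policy": (
        lambda v: v.strip().lower() in ("no-referrer", "same-origin",
                                        "strict-origin", "strict-origin-when-cross-origin"),
        "strict-origin-when-cross-origin"),
}


def audit(headers):
    """headers: response header name -> value, any letter case.
    Returns (header, status, detail): status is 'missing', 'weak' or 'ok'; detail is
    the value to set for the first two and the current value for 'ok'."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (accept, recommended) in CHECKS.items():
        value = present.get(name)
        if value is None:
            findings.append((name, "missing", recommended))
        elif not accept(value):
            findings.append((name, "weak", recommended))
        else:
            findings.append((name, "ok", value))
    return findings


def grade(findings):
    """Rough letter grade: each missing or weak header costs one step."""
    bad = sum(1 for _, status, _ in findings if status != "ok")
    return "ABCDFF"[bad]


def fetch_headers(url):
    """Fetch live headers with a HEAD request (network; the demo below does not use it)."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10,
                                       context=ssl.create_default_context())
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed "before" response: what a typical untouched site sends.
BEFORE = {"Content-Type": "text/html", "Server": "nginx", "X-Frame-Options": "ALLOWALL"}
# Constructed "after" response: the same site once the recommended headers are added.
AFTER = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def report(headers):
    findings = audit(headers)
    for name, status, detail in findings:
        print(f"{status:8} {name}: {detail}")
    print("grade:", grade(findings))


if __name__ == "__main__":
    report(fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE)
    if len(sys.argv) == 1:
        print("--- after adding the recommended headers ---")
        report(AFTER)
```

The "before" response scores F because four headers are absent and the fifth (X-Frame-Options: ALLOWALL) is present but useless; the "after" response scores A. Note that the CSP check only confirms a default-src directive exists, which is the bare minimum: a policy that allows 'unsafe-inline' or wildcard sources passes this script but would still be marked down by Observatory.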

Tool 4: OWASP ZAP (Zed Attack Proxy)

What It Is

OWASP ZAP is a free, open-source security testing tool maintained by the Open Worldwide Application Security Project (OWASP). Unlike the previous tools, ZAP runs on your computer and actively scans your website for vulnerabilities. It is more powerful and more complex than the browser-based tools above.

How to Use It (Basic Scan)

  1. Download ZAP from zaproxy.org
  2. Install it (available for Windows, macOS, and Linux)
  3. Open ZAP
  4. In the "Quick Start" tab, enter your website URL
  5. Click "Attack" (this runs an automated scan)
  6. Wait for the scan to complete (can take 10-60 minutes depending on your site's size)

Understanding the Results

ZAP categorizes findings by risk level:

  • High (Red): Serious vulnerabilities that should be fixed immediately. Examples: SQL injection, cross-site scripting (XSS), broken authentication.
  • Medium (Orange): Significant issues that attackers could use to gain information or cause limited harm. Examples: missing security headers, directory browsing enabled.
  • Low (Yellow): Minor issues that provide information to attackers or represent best practice violations. Examples: server version disclosure, cookie without Secure flag.
  • Informational (Blue): Not vulnerabilities per se, but observations that might be relevant.

ZAP will also flag potential false positives. Not every finding is a real vulnerability. This is where expertise matters: distinguishing a real SQL injection vulnerability from a false alarm requires understanding the context. If ZAP reports any High findings, take them seriously and consult a security professional if you are unsure.

If ZAP finds XSS vulnerabilities, our article explaining XSS attacks will help you understand what they mean and why they matter.

A Word of Caution

ZAP's automated scan sends a lot of requests to your website. On a small shared hosting plan, this can slow your site down or even trigger rate limiting from your host. Run scans during off-peak hours. Also, never run ZAP against a website you do not own. Unauthorized scanning is illegal in most jurisdictions, including Switzerland.

Tool 5: Nikto

What It Is

Nikto is a command-line web server scanner. It checks for outdated server software, dangerous files and CGIs, and server configuration problems. It is older than ZAP but still useful for a quick server-level check.

How to Use It

  1. Install Nikto (it comes pre-installed on Kali Linux, or install via apt install nikto on Debian/Ubuntu, or brew install nikto on macOS)
  2. Open a terminal
  3. Run: nikto -h https://yourdomain.com
  4. Wait for the scan to complete (typically 5-15 minutes)

Understanding the Results

Nikto outputs a list of findings directly in the terminal. Each line describes something it found. Common findings include:

  • Server version disclosure (e.g., "Apache/2.4.41" visible in headers)
  • Missing security headers (overlaps with the tools above)
  • Default files present (e.g., /readme.html, /license.txt that reveal CMS versions)
  • Directory listing enabled on certain paths
  • Outdated server software with known vulnerabilities

Nikto generates a lot of output, and some of it will be false positives. Focus on findings that mention specific CVEs (like CVE-2021-XXXXX) or that indicate server software is outdated. These are the actionable items.
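Because Nikto prints everything to the terminal, the practical step is to sort its lines into the three buckets this article recommends: CVE mentions and outdated software first, version disclosure next, everything else for manual review. The script below is an added example, not part of Nikto; the sample lines are constructed in the general style of Nikto output (findings prefixed with "+"), the CVE identifier in them is a placeholder, and the regular expressions are assumptions that cover the common cases rather than every message Nikto can print.

```python
"""Triage raw Nikto output into the priorities this article recommends.
Added example; the sample lines are constructed in Nikto's general style,
not real scan output, and CVE-1900-00001 is a placeholder identifier."""
import re
import sys

CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
OUTDATED = re.compile(r"\b(outdated|out of date)\b", re.IGNORECASE)
# Product/version strings such as Apache/2.4.41 (the example given above).
VERSION_LEAK = re.compile(r"\b(?:Apache|nginx|PHP|OpenSSL)/\d[\w.]*", re.IGNORECASE)


def triage(lines):
    """Return {'fix first': [...], 'fix soon': [...], 'review': [...]}.
    Each entry is (line, [cve ids]). Known CVEs and outdated software go first,
    version disclosure next, everything else is left for manual review."""
    buckets = {"fix first": [], "fix soon": [], "review": []}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("+"):  # Nikto prefixes findings with "+"; skip banners
            continue
        cves = sorted({m.upper() for m in CVE.findall(line)})
        if cves or OUTDATED.search(line):
            buckets["fix first"].append((line, cves))
        elif VERSION_LEAK.search(line):
            buckets["fix soon"].append((line, []))
        else:
            buckets["review"].append((line, []))
    return buckets


# Constructed sample in Nikto's style; the version numbers and the CVE id are made up.
SAMPLE = """\
- Nikto vX.Y.Z (constructed sample)
+ Target Host: www.example.com
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The X-Content-Type-Options header is not set.
+ Apache/2.4.41 appears to be outdated (current is at least 2.4.99).
+ /cgi-bin/test.cgi: Script may be vulnerable to CVE-1900-00001 (placeholder).
+ /readme.html: WordPress readme file found; reveals the CMS version.
+ /backup/: Directory indexing found.
"""


def print_report(buckets):
    for bucket in ("fix first", "fix soon", "review"):
        print(f"== {bucket} ({len(buckets[bucket])}) ==")
        for line, cves in buckets[bucket]:
            suffix = f"  [{', '.join(cves)}]" if cves else ""
            print(f"  {line}{suffix}")


if __name__ == "__main__":
    # usage: nikto -h https://yourdomain.com > scan.txt; python triage.py scan.txt
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE.splitlines()
    print_report(triage(lines))
```

On the sample, the outdated-Apache line and the CVE line land in "fix first", the Server banner in "fix soon", and the remaining four findings (including the readme.html and directory-indexing lines, which this article lists as lower-priority cleanup) in "review". Anything in "fix first" still needs the CVE checked against the actual installed version before you act on it, since Nikto matches on banners and cannot see back-ported patches.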

How to Prioritize Fixes

After running all five tools, you will likely have a long list of findings. Do not panic. Here is how to prioritize:

Fix First (High Priority)

  • Any High-risk finding from OWASP ZAP (especially XSS, SQL injection, authentication issues)
  • SSL/TLS grade below B on SSL Labs
  • Expired or invalid SSL certificate
  • Outdated server software with known CVEs flagged by Nikto
  • Exposed admin panels or sensitive files (as we detail in our guide to exposed admin pages)

Fix Soon (Medium Priority)

  • Missing HSTS header
  • Missing Content-Security-Policy header
  • TLS 1.0 or 1.1 still enabled
  • Medium-risk findings from ZAP
  • Server version disclosure

Fix When You Can (Lower Priority)

  • Missing Referrer-Policy header
  • Missing Permissions-Policy header
  • Low-risk ZAP findings
  • Informational Nikto findings

What You Can Fix Yourself

Many of the common findings from these tools can be fixed without deep technical knowledge:

  • Security headers: If you use WordPress, plugins like "Headers Security Advanced & HSTS WP" can add missing headers. On Netlify, Vercel, or Cloudflare, you can add headers through configuration files. On Apache or Nginx, headers go in your server configuration.
  • SSL/TLS configuration: Most hosting providers have control panels where you can disable TLS 1.0/1.1. If not, contact their support.
  • Outdated software: Update your CMS, plugins, and themes. This alone closes many vulnerability windows. Our article on the risks of an outdated website explains why this matters.
  • Default files: Delete readme.html, license.txt, wp-config-sample.php, and similar files that reveal your CMS version.

When You Need a Professional

Call in professional help when:

  • OWASP ZAP reports High-severity findings and you are not sure if they are false positives
  • You handle sensitive customer data (e-commerce, health data, financial information) and need to validate your security posture for compliance
  • You want a penetration test, not just a vulnerability assessment
  • The findings require server-level changes and you do not manage your own server
  • Your website handles payments and you need PCI DSS compliance verification
  • You have experienced a security incident and need to understand what happened

A professional security assessment goes beyond what these tools can do. It includes manual testing, business logic testing, authentication flow analysis, and a structured report with remediation guidance. If your business is in Lugano or anywhere in Ticino, we offer security assessments that cover all of this and provide a clear remediation plan.

For a more comprehensive self-assessment, also check our website security checklist for SMEs, which provides 15 checks you can run immediately.

Building a Scanning Routine

Running these tools once is useful. Running them regularly is far more valuable. Security is not a one-time check; it is an ongoing process. Here is a simple schedule any business can follow:

Frequency | What to Run | Time Required
Monthly | Mozilla Observatory + SecurityHeaders.com | 5 minutes
Quarterly | SSL Labs + OWASP ZAP quick scan | 30 minutes
After every deployment | Mozilla Observatory + SSL Labs | 10 minutes
Annually | Full ZAP scan + Nikto + consider professional assessment | 2-4 hours

Keep a record of your scores over time. If a score drops, something changed that introduced a weakness. This simple habit puts you ahead of the vast majority of SMEs that never test their security at all.
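Keeping that record is easier when a script does the comparison for you. The one below, an added example rather than anything the scanners provide, stores each run as a JSON file and reports every tool whose latest grade is worse than the run before it. The grade ordering is an assumption that covers the plus/minus variants Observatory and SSL Labs use and SSL Labs' T grade; the sample history is constructed.

```python
"""Keep a record of scanner grades over time and flag regressions, as the
scanning routine above recommends. Added example; the sample history is
constructed, not real results."""
import json
import sys
from pathlib import Path

# Best to worst. Covers the plus/minus variants Observatory and SSL Labs use
# and SSL Labs' T (certificate not trusted).
ORDER = [letter + suffix for letter in "ABCD" for suffix in ("+", "", "-")] + ["E", "F", "T"]


def rank(grade):
    """Position in ORDER; lower is better."""
    g = grade.strip().upper()
    if g not in ORDER:
        raise ValueError(f"unknown grade {grade!r}")
    return ORDER.index(g)


def record(history, tool, date, grade):
    """Add one run. history is {tool: [[iso_date, grade], ...]}, kept sorted by date."""
    rank(grade)  # reject typos before they are stored
    history.setdefault(tool, []).append([date, grade])
    history[tool].sort()
    return history


def regressions(history):
    """(tool, previous, latest) for every tool whose latest grade is worse than the run before."""
    out = []
    for tool, runs in history.items():
        if len(runs) < 2:
            continue
        previous, latest = runs[-2][1], runs[-1][1]
        if rank(latest) > rank(previous):
            out.append((tool, previous, latest))
    return out


def load(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save(history, path):
    Path(path).write_text(json.dumps(history, indent=2))


# Constructed history: headers were fine for two months, then a deployment
# dropped the grade; the TLS configuration improved over the same period.
SAMPLE = {}
record(SAMPLE, "Mozilla Observatory", "2024-01-05", "B")
record(SAMPLE, "Mozilla Observatory", "2024-02-05", "B")
record(SAMPLE, "Mozilla Observatory", "2024-03-05", "D")
record(SAMPLE, "SSL Labs", "2024-01-05", "A")
record(SAMPLE, "SSL Labs", "2024-03-05", "A+")

if __name__ == "__main__":
    # usage: scores.py history.json TOOL DATE GRADE   (no arguments: run the sample)
    if len(sys.argv) == 5:
        path, tool, date, grade = sys.argv[1:]
        history = record(load(path), tool, date, grade)
        save(history, path)
    else:
        history = SAMPLE
    for tool, previous, latest in regressions(history):
        print(f"REGRESSION {tool}: {previous} -> {latest}")
```

Run with no arguments it reports the constructed regression (Observatory B to D); run after each real scan with the tool name, ISO date and grade, it appends to the JSON file and prints only the tools that got worse, which is exactly the signal that something changed.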
